Exotic Lily is a business-like access broker for ransomware gangs

A group with links to high-profile ransomware crews Conti and Diavol is working as an internet access broker (IAB) for a Russia-linked cybercriminal gang, according to Google's Threat Analysis Group (TAG).

Exotic Lily gains access to vulnerable corporate networks then sells that access to the highest bidder among threat groups, which then run ransomware and other attacks against the victim. The group launches large-scale phishing campaigns, at one point sending as many as 5,000 emails a day to up to 650 targeted organizations around the world.

The group initially went after such industries as IT, cybersecurity and healthcare, but as of November 2021 it appears to be targeting a broad range of industries with a less specific focus, Google researchers wrote in a blog post.

TAG initially detected Exotic Lily – which the researchers describe as a "resourceful, financially motivated threat actor" – in September 2021 exploiting a zero-day flaw in Microsoft MSHTML (tracked as CVE-2021-40444). Further investigation discovered that the group was acting as an IAB working with a Russian gang known as FIN12 by cybersecurity vendors Mandiant and FireEye, Wizard Spider by CrowdStrike, and DEV-0193 by Microsoft.

Google earlier this month said it is buying Mandiant for $5.4bn.

"We have observed this threat actor deploying tactics, techniques and procedures (TTPs) that are traditionally associated with more targeted attacks, like spoofing companies and employees as a means of gaining trust of a targeted organization through email campaigns that are believed to be sent by real human operators using little-to-no automation," the TAG researchers wrote.

In a more unique move, Exotic Lily also uses legitimate file-sharing services like WeTransfer, TransferNow, TransferXL, and OneDrive to deliver its payload to evade detection techniques. Such a high level of human interaction is unusual for threat groups that work on mass-scale operations, where automation technologies are common.

Exotic Lily's attack chain is consistent, using domain and identity spoofing techniques to masquerade as a legitimate organization or employee. A spoofed domain would look like an existing organization's real domain name, with the only change being top-level domains ".us," ".co" or .biz."

The group initially also created fake personas that posed as employees of a real company, an effort that included creating social media profiles and personal websites, and generated fake profile pictures via AI-generated images of human faces, the Google researchers wrote. In November, Exotic Lily began to impersonate real employees at the targeted companies by copying their personal data from social media and business databases like CrunchBase and RocketReach.

• CISOs face 'perfect storm' of ransomware and state-supported cybercrime
• Russia's invasion of Ukraine tears open political rift between cybercriminals
• New US law: Cyberattacks to be reported within 72 hours
• Extradited Canadian accused of unleashing NetWalker ransomware

"Using spoofed email accounts, attackers would then send spear phishing emails under the pretext of a business proposal, such as seeking to outsource a software development project or an information security service," TAG wrote. "Attackers would sometimes engage in further communication with the target by attempting to schedule a meeting to discuss the project's design or requirements."

The Exotic Lily attackers would then upload the malicious payload to one of the public file-sharing services and use a built-in email notification feature to share the file with the potential victim.

By doing this, the final email would originate from the email address of a legitimate file-sharing service and not the attacker's email, making it look more legitimate and easier to evade detection.

The group's malware continues to evolve. Initially using documents containing an exploit for Microsoft MSHTML, Exotic Lily switched to delivering ISO files with hidden BazarLoader dynamic link libraries (DLLs) and malicious LNK shortcuts. Samples seen by TAG suggest they were custom-built for the group's use. This month, Exotic Lily continued to deliver ISO files but with a DLL containing a more sophisticated custom loader. The malware uses a unique user-agent "bumblebee," which is shared by earlier and later variants.

The malware, named "Bumblebee" by TAG, uses Windows Management Instrumentation (WMI) to collect such information as the operating system version and user and domain names.

In researching Exotic Lily, TAG researchers found that the gang operates in a business-like fashion, with members working typical 9-to-5 shifts and with little activity on the weekends. The distribution of the working hours suggest they're based in Central or Eastern Europe.

It echoes what researchers found when analyzing the leaked documents from Conti, which showed an organization that includes a corporate hierarchy complete with a CEO figure, HR and recruitment operations, and requests by workers to managers for time off. ®